From d8f91696b8a6666ba30e5710708f0534aafeac22 Mon Sep 17 00:00:00 2001
From: hamid ghaf
Date: Mon, 14 Feb 2022 15:15:27 -0800
Subject: [PATCH 1/2] Delete an MFA methodID only if it is not used by an MFA enforcement config

---
 vault/login_mfa.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/vault/login_mfa.go b/vault/login_mfa.go
index 017024860936..abb04ab6559b 100644
--- a/vault/login_mfa.go
+++ b/vault/login_mfa.go
@@ -2575,6 +2575,18 @@ func (b *LoginMFABackend) deleteMFAConfigByMethodID(ctx context.Context, configI
 	b.mfaLock.Lock()
 	defer b.mfaLock.Unlock()
 
+	eConfigIter, err := b.MemDBMFALoginEnforcementConfigIterator()
+	if err != nil {
+		return err
+	}
+
+	for eConfigRaw := eConfigIter.Next(); eConfigRaw != nil; eConfigRaw = eConfigIter.Next() {
+		eConfig := eConfigRaw.(*mfa.MFAEnforcementConfig)
+		if strutil.StrListContains(eConfig.MFAMethodIDs, configID) {
+			return fmt.Errorf("methodID is still used by an enforcement configuration with ID: %s", eConfig.ID)
+		}
+	}
+
 	// Delete the config from storage
 	entryIndex := prefix + configID
 	err = b.Core.systemBarrierView.Delete(ctx, entryIndex)

From 0619fc39a32e2d36a04d054f283fccc4db28b3cb Mon Sep 17 00:00:00 2001
From: hamid ghaf
Date: Mon, 14 Feb 2022 20:02:51 -0800
Subject: [PATCH 2/2] Fixing a bug: mfa/validate is an unauthenticated path, and goes through the handleLoginRequest path

---
 vault/request_handling.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/vault/request_handling.go b/vault/request_handling.go
index 06203d2d3e9a..bbac6b6e5556 100644
--- a/vault/request_handling.go
+++ b/vault/request_handling.go
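Review bot: The type assertion `eConfig := eConfigRaw.(*mfa.MFAEnforcementConfig)` inside the new loop is unchecked, so an entry of an unexpected type in the MemDB table would panic inside a request handler rather than fail the request; use the two-value form, `eConfig, ok := eConfigRaw.(*mfa.MFAEnforcementConfig)`, and on `!ok` `return fmt.Errorf("unexpected type %T in MFA enforcement config table", eConfigRaw)`. The check-then-delete is only atomic if the code that creates or updates enforcement configs also takes `b.mfaLock`; that is not visible here, so confirm it, otherwise a reference added concurrently can slip past the guard and leave a dangling method ID. The conflict is returned as a plain `error`; if the surrounding handler does not map it, the client will presumably see a 500 for what is a client-side conflict, so consider surfacing it as a `logical.ErrorResponse` at the handler boundary. `deleteMFAConfigByMethodID` starts and ends outside the hunk.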
@@ -1075,7 +1075,7 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp
 	// Only the token store is allowed to return an auth block, for any
 	// other request this is an internal error.
 	if resp != nil && resp.Auth != nil {
-		if !strings.HasPrefix(req.Path, "auth/token/") && req.Path != "sys/mfa/validate" {
+		if !strings.HasPrefix(req.Path, "auth/token/") {
 			c.logger.Error("unexpected Auth response for non-token backend", "request_path", req.Path)
 			retErr = multierror.Append(retErr, ErrInternalError)
 			return nil, auth, retErr
@@ -1303,7 +1303,7 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
 		return
 	}
 	// If the response generated an authentication, then generate the token
-	if resp != nil && resp.Auth != nil {
+	if resp != nil && resp.Auth != nil && req.Path != "sys/mfa/validate" {
 		leaseGenerated := false
 
 		// by placing this after the authorization check, we don't leak
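Review bot: The added `req.Path != "sys/mfa/validate"` condition carries no comment explaining why that one path must skip token generation; the reason lives only in the commit subject and the next maintainer will read the exemption as a bypass. Add above the `if`: `// sys/mfa/validate is routed through the login path but its Auth was produced by the original login request; pass it through rather than minting another token here.` Everything in this block after `leaseGenerated := false` is now skipped for that path, and the hunk shows only the block's first lines (handleLoginRequest continues past it), so confirm that none of the skipped steps, including the check the trailing comment alludes to, is a control the MFA backend does not apply itself. The exemption is an exact string compare; confirm req.Path is canonical by the time it reaches handleLoginRequest, since a variant spelling would fall back into the token-minting branch.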